Merge "sepolicy: build error if non-platform classes present"
diff --git a/Android.bp b/Android.bp
index b3e26ba..4973c13 100644
--- a/Android.bp
+++ b/Android.bp
@@ -71,27 +71,95 @@
}
se_cil_compat_map {
- name: "26.0.cil",
+ name: "plat_26.0.cil",
+ stem: "26.0.cil",
bottom_half: [":26.0.board.compat.map"],
- top_half: "27.0.cil",
+ top_half: "plat_27.0.cil",
}
se_cil_compat_map {
- name: "27.0.cil",
+ name: "plat_27.0.cil",
+ stem: "27.0.cil",
bottom_half: [":27.0.board.compat.map"],
- top_half: "28.0.cil",
+ top_half: "plat_28.0.cil",
}
se_cil_compat_map {
- name: "28.0.cil",
+ name: "plat_28.0.cil",
+ stem: "28.0.cil",
bottom_half: [":28.0.board.compat.map"],
- top_half: "29.0.cil",
+ top_half: "plat_29.0.cil",
}
se_cil_compat_map {
- name: "29.0.cil",
+ name: "plat_29.0.cil",
+ stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map"],
- // top_half: "30.0.cil",
+ // top_half: "plat_30.0.cil",
+}
+
+se_cil_compat_map {
+ name: "system_ext_26.0.cil",
+ stem: "26.0.cil",
+ bottom_half: [":26.0.board.compat.map"],
+ top_half: "system_ext_27.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_27.0.cil",
+ stem: "27.0.cil",
+ bottom_half: [":27.0.board.compat.map"],
+ top_half: "system_ext_28.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map"],
+ top_half: "system_ext_29.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map"],
+ // top_half: "system_ext_30.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_26.0.cil",
+ stem: "26.0.cil",
+ bottom_half: [":26.0.board.compat.map"],
+ top_half: "product_27.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_27.0.cil",
+ stem: "27.0.cil",
+ bottom_half: [":27.0.board.compat.map"],
+ top_half: "product_28.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map"],
+ top_half: "product_29.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map"],
+ // top_half: "product_30.0.cil",
+ product_specific: true,
}
se_cil_compat_map {
diff --git a/Android.mk b/Android.mk
index 233d20d..c4d6fd3 100644
--- a/Android.mk
+++ b/Android.mk
@@ -203,6 +203,19 @@
with_native_coverage := true
endif
+treble_sysprop_neverallow := true
+ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
+ treble_sysprop_neverallow := false
+endif
+
+ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
+ #$(warning no product shipping level defined)
+else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
+ ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),)
+ $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.)
+ endif
+endif
+
# Library extension for host-side tests
ifeq ($(HOST_OS),darwin)
SHAREDLIB_EXT=dylib
@@ -246,7 +259,7 @@
# divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += \
plat_mapping_file \
- $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+ $(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
plat_sepolicy.cil \
plat_sepolicy_and_mapping.sha256 \
@@ -352,7 +365,10 @@
endif
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += system_ext_mapping_file
+LOCAL_REQUIRED_MODULES += \
+ system_ext_mapping_file \
+ $(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+
endif
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
@@ -375,7 +391,10 @@
endif
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += product_mapping_file
+LOCAL_REQUIRED_MODULES += \
+ product_mapping_file \
+ $(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+
endif
ifdef HAS_PRODUCT_SEPOLICY_DIR
@@ -494,6 +513,7 @@
$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(reqd_policy_mask.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -539,6 +559,7 @@
$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -567,6 +588,7 @@
$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(system_ext_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -596,6 +618,7 @@
$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -637,6 +660,7 @@
$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -682,6 +706,7 @@
$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(userdebug_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -729,6 +754,7 @@
$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(system_ext_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -784,6 +810,7 @@
$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(product_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -956,6 +983,7 @@
$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(vendor_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1011,6 +1039,7 @@
$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(odm_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1337,6 +1366,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
@@ -1545,6 +1575,7 @@
$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1575,6 +1606,7 @@
$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1673,6 +1705,7 @@
built_plat_svc :=
built_vendor_svc :=
built_plat_sepolicy :=
+treble_sysprop_neverallow :=
mapping_policy :=
my_target_arch :=
pub_policy.cil :=
diff --git a/apex/com.android.permission-file_contexts b/apex/com.android.permission-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.permission-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 6eef2f2..f304e62 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -51,7 +51,7 @@
func cilCompatMapFactory() android.Module {
c := &cilCompatMap{}
c.AddProperties(&c.properties)
- android.InitAndroidModule(c)
+ android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
return c
}
@@ -65,6 +65,8 @@
// other modules that produce source files like genrule or filegroup using
// the syntax ":module". srcs has to be non-empty.
Bottom_half []string
+ // name of the output
+ Stem *string
}
type cilCompatMap struct {
@@ -72,6 +74,7 @@
properties cilCompatMapProperties
// (.intermediate) module output path as installation source.
installSource android.Path
+ installPath android.InstallPath
}
type CilCompatMapGenerator interface {
@@ -100,11 +103,13 @@
continue
}
if fg, ok := module.(*fileGroup); ok {
- // Core compatibility mapping files are under system/sepolicy/private.
- expandedSrcFiles = append(expandedSrcFiles, fg.SystemPrivateSrcs()...)
- // Partner extensions to the compatibility mapping in must be located in
- // BOARD_PLAT_PRIVATE_SEPOLICY_DIR
- expandedSrcFiles = append(expandedSrcFiles, fg.SystemExtPrivateSrcs()...)
+ if ctx.ProductSpecific() {
+ expandedSrcFiles = append(expandedSrcFiles, fg.ProductPrivateSrcs()...)
+ } else if ctx.SystemExtSpecific() {
+ expandedSrcFiles = append(expandedSrcFiles, fg.SystemExtPrivateSrcs()...)
+ } else {
+ expandedSrcFiles = append(expandedSrcFiles, fg.SystemPrivateSrcs()...)
+ }
} else {
ctx.ModuleErrorf("srcs dependency %q is not an selinux filegroup", m)
}
@@ -117,6 +122,8 @@
}
func (c *cilCompatMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
+
srcFiles := expandSeSources(ctx, c.properties.Bottom_half)
for _, src := range srcFiles {
@@ -166,7 +173,10 @@
Class: "ETC",
}
ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping")
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.ToMakePath().String())
+ if c.properties.Stem != nil {
+ fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
+ }
})
return ret
}
diff --git a/definitions.mk b/definitions.mk
index 1a7d06e..6bb4f24 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -11,6 +11,7 @@
-D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
+ -D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
$(PRIVATE_TGT_RECOVERY) \
-s $(PRIVATE_POLICY_FILES) > $@
diff --git a/private/access_vectors b/private/access_vectors
index 275b9af..66c1b79 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -446,6 +446,7 @@
{
nlmsg_read
nlmsg_write
+ nlmsg_readpriv
}
class netlink_tcpdiag_socket
diff --git a/private/app.te b/private/app.te
index 0d9a2b4..e8397ef 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,8 @@
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
+userdebug_or_eng(`perfetto_producer({ appdomain })')
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e5c6aee..eb798e3 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -37,9 +37,8 @@
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
-# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
-# but otherwise disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } net_dns_prop:file read;
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
@@ -238,15 +237,6 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
-# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
-# They must use ASharedMemory NDK API instead.
-neverallow {
- all_untrusted_apps
- -ephemeral_app
- -untrusted_app_25
- -untrusted_app_27
-} ashmem_device:chr_file open;
-
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
neverallow {
diff --git a/private/bug_map b/private/bug_map
index 7f8bdcf..dd897e0 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -17,12 +17,14 @@
mediaprovider cache_file blk_file b/77925342
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
+mediaswcodec ashmem_device chr_file b/142679232
netd priv_app unix_stream_socket b/77870037
netd untrusted_app unix_stream_socket b/77870037
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
system_server crash_dump process b/73128755
+system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server storage_stub_file dir b/112609936
system_server zygote process b/77856826
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/26.0/26.0.compat.cil
+++ b/private/compat/26.0/26.0.compat.cil
@@ -2,3 +2,4 @@
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/27.0/27.0.compat.cil
+++ b/private/compat/27.0/27.0.compat.cil
@@ -2,3 +2,4 @@
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 9031d15..30af58c 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -2,3 +2,4 @@
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index 628abfc..af4da8a 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1 +1,3 @@
-;; This file can't be empty.
+(typeattribute vendordomain)
+(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
+(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 88257f1..133c9b2 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -11,12 +11,14 @@
cold_boot_done_prop
platform_compat_service
ctl_apexd_prop
+ device_config_storage_native_boot_prop
device_config_sys_traced_prop
hal_can_bus_hwservice
hal_can_controller_hwservice
hal_tv_tuner_hwservice
init_svc_debug_prop
linker_prop
+ mock_ota_prop
ota_metadata_file
art_apex_dir
system_group_file
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index ecedaba..508653c 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -51,9 +51,7 @@
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow ephemeral_app traced:fd use;
-allow ephemeral_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(ephemeral_app, traced_producer, traced)
+perfetto_producer(ephemeral_app)
# Allow heap profiling if the app opts in by being marked
# profileable/debuggable.
diff --git a/private/file_contexts b/private/file_contexts
index 8c67e1f..3e989e7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -357,9 +357,9 @@
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
-/vendor/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
-/vendor/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
-/vendor/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
+/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
+/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
@@ -383,9 +383,9 @@
/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
# Input configuration
-/(odm|vendor|vendor/odm)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
-/(odm|vendor|vendor/odm)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
-/(odm|vendor|vendor/odm)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
/oem(/.*)? u:object_r:oemfs:s0
/oem/overlay(/.*)? u:object_r:vendor_overlay_file:s0
diff --git a/private/heapprofd.te b/private/heapprofd.te
index fca3c58..ec3e4d0 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -35,9 +35,7 @@
# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
-allow heapprofd traced:fd use;
-allow heapprofd traced_tmpfs:file { read write getattr map };
-unix_socket_connect(heapprofd, traced_producer, traced)
+perfetto_producer(heapprofd)
# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 50cbd8c..15c0f3f 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -56,16 +56,12 @@
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow isolated_app traced:fd use;
-allow isolated_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(isolated_app, traced_producer, traced)
+perfetto_producer(isolated_app)
# Allow heap profiling if the main app has been marked as profileable or
# debuggable.
can_profile_heap(isolated_app)
-allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };
-
#####
##### Neverallow
#####
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 6926412..5050e1a 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -45,5 +45,3 @@
# MtpServer sets sys.usb.ffs.mtp.ready
set_prop(mediaprovider, ffs_prop)
set_prop(mediaprovider, exported_ffs_prop)
-
-allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/network_stack.te b/private/network_stack.te
index 4fd31bd..6db7d8f 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -67,3 +67,6 @@
# dumpstate support
allow network_stack dumpstate:fd use;
allow network_stack dumpstate:fifo_file write;
+
+# Create/use netlink_tcpdiag_socket to get tcp info
+allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
diff --git a/private/perfetto.te b/private/perfetto.te
index e95defa..8c7c8af 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -13,10 +13,7 @@
# Connect to the Perfetto traced daemon as a producer. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow perfetto traced:fd use;
-allow perfetto traced_tmpfs:file { read write getattr map };
-unix_socket_connect(perfetto, traced_producer, traced)
-
+perfetto_producer(perfetto)
# Allow to write and unlink traces into /data/misc/perfetto-traces.
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index f9409b9..6f0cb4f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -139,9 +139,7 @@
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow priv_app traced:fd use;
-allow priv_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(priv_app, traced_producer, traced)
+perfetto_producer(priv_app)
# Allow priv_apps to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
diff --git a/private/property_contexts b/private/property_contexts
index 55445ec..16c8d93 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,7 @@
persist.log.tag u:object_r:log_tag_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
+persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
@@ -192,6 +193,7 @@
persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
+persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
# Properties that relate to legacy server configurable flags
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
diff --git a/private/service_contexts b/private/service_contexts
index 2f2f4c7..2f4a2f8 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -32,6 +32,7 @@
com.android.net.IProxyService u:object_r:IProxyService_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
+platform_compat_native u:object_r:platform_compat_service:s0
connectivity u:object_r:connectivity_service:s0
connmetrics u:object_r:connmetrics_service:s0
consumer_ir u:object_r:consumer_ir_service:s0
diff --git a/private/shell.te b/private/shell.te
index 67610b1..975fde4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -34,9 +34,7 @@
# Allow shell binaries to write trace data to Perfetto. Used for testing and
# cmdline utils.
-allow shell traced:fd use;
-allow shell traced_tmpfs:file { read write getattr map };
-unix_socket_connect(shell, traced_producer, traced)
+perfetto_producer(shell)
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index daba163..e696fe5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -68,9 +68,7 @@
')
# Needed to register as a Perfetto producer.
-allow surfaceflinger traced:fd use;
-allow surfaceflinger traced_tmpfs:file { read write getattr map };
-unix_socket_connect(surfaceflinger, traced_producer, traced)
+perfetto_producer(surfaceflinger)
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
diff --git a/private/system_server.te b/private/system_server.te
index a7f9b13..3e3d8eb 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -297,6 +297,8 @@
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;
+userdebug_or_eng(`perfetto_producer({ system_server })')
+
# Get file context
allow system_server file_contexts_file:file r_file_perms;
# access for mac_permissions
@@ -598,6 +600,7 @@
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_storage_native_boot_prop)
set_prop(system_server, device_config_sys_traced_prop)
# BootReceiver to read ro.boot.bootreason
@@ -628,6 +631,9 @@
# Read gsid.image_running.
get_prop(system_server, gsid_prop)
+# Read the property that mocks an OTA
+get_prop(system_server, mock_ota_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -950,6 +956,7 @@
device_config_runtime_native_boot_prop
device_config_runtime_native_prop
device_config_media_native_prop
+ device_config_storage_native_boot_prop
device_config_sys_traced_prop
}:property_service set;
@@ -1002,6 +1009,12 @@
allow system_server apex_data_file:dir { getattr search };
allow system_server apex_data_file:file r_file_perms;
+# Allow the system server to read files under /vendor/apex. This is where
+# vendor APEX packages might be installed and system_server needs to parse
+# these packages to inspect the signatures and other metadata.
+allow system_server vendor_apex_file:dir { getattr search };
+allow system_server vendor_apex_file:file r_file_perms;
+
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
allow system_server metadata_file:dir search;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 97a7e6e..28538da 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -6,9 +6,7 @@
# Write trace data to the Perfetto traced damon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
-allow traced_probes traced:fd use;
-allow traced_probes traced_tmpfs:file { read write getattr map };
-unix_socket_connect(traced_probes, traced_producer, traced)
+perfetto_producer(traced_probes)
# Allow traced_probes to access tracefs.
allow traced_probes debugfs_tracing:dir r_dir_perms;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 45aeddc..2091f2e 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,10 +26,6 @@
net_domain(untrusted_app_25)
bluetooth_domain(untrusted_app_25)
-# b/34115651 - net.dns* properties read
-# This will go away in a future Android release
-get_prop(untrusted_app_25, net_dns_prop)
-
# b/35917228 - /proc/misc access
# This will go away in a future Android release
allow untrusted_app_25 proc_misc:file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 249c33b..f37cadc 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -135,9 +135,7 @@
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow untrusted_app_all traced:fd use;
-allow untrusted_app_all traced_tmpfs:file { read write getattr map };
-unix_socket_connect(untrusted_app_all, traced_producer, traced)
+perfetto_producer(untrusted_app_all)
# Allow heap profiling if the app opts in by being marked
# profileable/debuggable.
@@ -176,6 +174,3 @@
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
')
-
-# Allow (rw_file_perms - open) access to /dev/ashmem.
-allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/zygote.te b/private/zygote.te
index 66e14b3..d5e5420 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -53,7 +53,7 @@
# Allow zygote to create JIT memory.
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;
-allow zygote ashmem_device:chr_file execute;
+allow zygote ashmem_libcutils_device:chr_file execute;
# Execute idmap and dex2oat within zygote's own domain.
# TODO: Should either of these be transitioned to the same domain
diff --git a/public/app.te b/public/app.te
index ea3cf15..030aba5 100644
--- a/public/app.te
+++ b/public/app.te
@@ -390,7 +390,7 @@
neverallow appdomain tee_device:chr_file { read write };
# Privileged netlink socket interfaces.
-neverallow appdomain
+neverallow { appdomain -network_stack }
domain:{
netlink_tcpdiag_socket
netlink_nflog_socket
diff --git a/public/domain.te b/public/domain.te
index 79a9ed4..9ebe4e0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -70,17 +70,11 @@
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
-allow {
- domain
- # TODO(b/113362644): route coredomain to libcutils.
- #-coredomain
- -mediaprovider
- -ephemeral_app
- -isolated_app
- -untrusted_app_all
-} ashmem_device:chr_file rw_file_perms;
-# This device is used by libcutils.
+# /dev/ashmem is being deprecated by means of constraining and eventually
+# removing all "open" permissions. We preserve the other permissions.
+allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
+# This device is used by libcutils, which is accessible to everyone.
allow domain ashmem_libcutils_device:chr_file rw_file_perms;
# /dev/binder can be accessed by ... everyone! :)
@@ -1380,3 +1374,12 @@
-hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
+
+# Only apps targetting < Q are allowed to open /dev/ashmem directly.
+# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
+neverallow {
+ domain
+ -ephemeral_app # We don't distinguish ephemeral apps based on target API.
+ -untrusted_app_25
+ -untrusted_app_27
+} ashmem_device:chr_file open;
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index b42005a..af7d96a 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -10,6 +10,7 @@
set_prop(flags_health_check, device_config_netd_native_prop)
set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_storage_native_boot_prop)
set_prop(flags_health_check, device_config_sys_traced_prop)
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
diff --git a/public/init.te b/public/init.te
index 3a59641..06a33a6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -286,7 +286,6 @@
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
allow init {
- ashmem_device
binder_device
console_device
devpts
diff --git a/public/net.te b/public/net.te
index afa2a9c..bdef072 100644
--- a/public/net.te
+++ b/public/net.te
@@ -19,6 +19,9 @@
allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
# See changes to the routing table.
allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and initially grant
+# this permission to everything that previously had the nlmsg_read permission.
+allow netdomain self:netlink_route_socket nlmsg_readpriv;
# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)
diff --git a/public/property.te b/public/property.te
index 10be0ba..d417628 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,24 +1,6 @@
# Properties used only in /system
system_internal_prop(apexd_prop)
system_internal_prop(bootloader_boot_reason_prop)
-system_internal_prop(boottime_prop)
-system_internal_prop(bpf_progs_loaded_prop)
-system_internal_prop(charger_prop)
-system_internal_prop(cold_boot_done_prop)
-system_internal_prop(ctl_adbd_prop)
-system_internal_prop(ctl_apexd_prop)
-system_internal_prop(ctl_bootanim_prop)
-system_internal_prop(ctl_bugreport_prop)
-system_internal_prop(ctl_console_prop)
-system_internal_prop(ctl_dumpstate_prop)
-system_internal_prop(ctl_fuse_prop)
-system_internal_prop(ctl_gsid_prop)
-system_internal_prop(ctl_interface_restart_prop)
-system_internal_prop(ctl_interface_stop_prop)
-system_internal_prop(ctl_mdnsd_prop)
-system_internal_prop(ctl_restart_prop)
-system_internal_prop(ctl_rildaemon_prop)
-system_internal_prop(ctl_sigstop_prop)
system_internal_prop(device_config_activity_manager_native_boot_prop)
system_internal_prop(device_config_boot_count_prop)
system_internal_prop(device_config_input_native_boot_prop)
@@ -27,61 +9,89 @@
system_internal_prop(device_config_reset_performed_prop)
system_internal_prop(device_config_runtime_native_boot_prop)
system_internal_prop(device_config_runtime_native_prop)
+system_internal_prop(device_config_storage_native_boot_prop)
system_internal_prop(device_config_sys_traced_prop)
-system_internal_prop(dynamic_system_prop)
system_internal_prop(firstboot_prop)
system_internal_prop(gsid_prop)
-system_internal_prop(heapprofd_enabled_prop)
system_internal_prop(init_svc_debug_prop)
system_internal_prop(last_boot_reason_prop)
-system_internal_prop(llkd_prop)
-system_internal_prop(lpdumpd_prop)
-system_internal_prop(mmc_prop)
-system_internal_prop(net_dns_prop)
system_internal_prop(netd_stable_secret_prop)
-system_internal_prop(overlay_prop)
-system_internal_prop(persistent_properties_ready_prop)
system_internal_prop(pm_prop)
-system_internal_prop(safemode_prop)
-system_internal_prop(system_lmk_prop)
-system_internal_prop(system_trace_prop)
-system_internal_prop(test_boot_reason_prop)
-system_internal_prop(time_prop)
-system_internal_prop(traced_enabled_prop)
-system_internal_prop(traced_lazy_prop)
-system_internal_prop(virtual_ab_prop)
+
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_internal_prop(boottime_prop)
+ system_internal_prop(bpf_progs_loaded_prop)
+ system_internal_prop(charger_prop)
+ system_internal_prop(cold_boot_done_prop)
+ system_internal_prop(ctl_adbd_prop)
+ system_internal_prop(ctl_apexd_prop)
+ system_internal_prop(ctl_bootanim_prop)
+ system_internal_prop(ctl_bugreport_prop)
+ system_internal_prop(ctl_console_prop)
+ system_internal_prop(ctl_dumpstate_prop)
+ system_internal_prop(ctl_fuse_prop)
+ system_internal_prop(ctl_gsid_prop)
+ system_internal_prop(ctl_interface_restart_prop)
+ system_internal_prop(ctl_interface_stop_prop)
+ system_internal_prop(ctl_mdnsd_prop)
+ system_internal_prop(ctl_restart_prop)
+ system_internal_prop(ctl_rildaemon_prop)
+ system_internal_prop(ctl_sigstop_prop)
+ system_internal_prop(dynamic_system_prop)
+ system_internal_prop(heapprofd_enabled_prop)
+ system_internal_prop(llkd_prop)
+ system_internal_prop(lpdumpd_prop)
+ system_internal_prop(mmc_prop)
+ system_internal_prop(mock_ota_prop)
+ system_internal_prop(net_dns_prop)
+ system_internal_prop(overlay_prop)
+ system_internal_prop(persistent_properties_ready_prop)
+ system_internal_prop(safemode_prop)
+ system_internal_prop(system_lmk_prop)
+ system_internal_prop(system_trace_prop)
+ system_internal_prop(test_boot_reason_prop)
+ system_internal_prop(time_prop)
+ system_internal_prop(traced_enabled_prop)
+ system_internal_prop(traced_lazy_prop)
+ system_internal_prop(virtual_ab_prop)
+')
# Properties which can't be written outside system
-system_restricted_prop(config_prop)
-system_restricted_prop(cppreopt_prop)
-system_restricted_prop(dalvik_prop)
-system_restricted_prop(debuggerd_prop)
-system_restricted_prop(default_prop)
-system_restricted_prop(device_logging_prop)
-system_restricted_prop(dhcp_prop)
-system_restricted_prop(dumpstate_prop)
-system_restricted_prop(exported2_default_prop)
-system_restricted_prop(exported3_system_prop)
-system_restricted_prop(exported_dumpstate_prop)
-system_restricted_prop(exported_fingerprint_prop)
-system_restricted_prop(exported_secure_prop)
-system_restricted_prop(exported_vold_prop)
-system_restricted_prop(ffs_prop)
-system_restricted_prop(fingerprint_prop)
-system_restricted_prop(heapprofd_prop)
system_restricted_prop(linker_prop)
-system_restricted_prop(net_radio_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
-system_restricted_prop(pan_result_prop)
-system_restricted_prop(persist_debug_prop)
system_restricted_prop(restorecon_prop)
-system_restricted_prop(shell_prop)
system_restricted_prop(system_boot_reason_prop)
-system_restricted_prop(system_radio_prop)
-system_restricted_prop(test_harness_prop)
-system_restricted_prop(theme_prop)
-system_restricted_prop(use_memfd_prop)
-system_restricted_prop(vold_prop)
+
+compatible_property_only(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_restricted_prop(config_prop)
+ system_restricted_prop(cppreopt_prop)
+ system_restricted_prop(dalvik_prop)
+ system_restricted_prop(debuggerd_prop)
+ system_restricted_prop(default_prop)
+ system_restricted_prop(device_logging_prop)
+ system_restricted_prop(dhcp_prop)
+ system_restricted_prop(dumpstate_prop)
+ system_restricted_prop(exported2_default_prop)
+ system_restricted_prop(exported3_system_prop)
+ system_restricted_prop(exported_dumpstate_prop)
+ system_restricted_prop(exported_fingerprint_prop)
+ system_restricted_prop(exported_secure_prop)
+ system_restricted_prop(exported_vold_prop)
+ system_restricted_prop(ffs_prop)
+ system_restricted_prop(fingerprint_prop)
+ system_restricted_prop(heapprofd_prop)
+ system_restricted_prop(net_radio_prop)
+ system_restricted_prop(pan_result_prop)
+ system_restricted_prop(persist_debug_prop)
+ system_restricted_prop(shell_prop)
+ system_restricted_prop(system_radio_prop)
+ system_restricted_prop(test_harness_prop)
+ system_restricted_prop(theme_prop)
+ system_restricted_prop(use_memfd_prop)
+ system_restricted_prop(vold_prop)
+')
# Properties with no restrictions
system_public_prop(audio_prop)
@@ -128,6 +138,74 @@
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
+# Properties which are public for devices launching with Android O or earlier
+# This should not be used for any new properties.
+not_compatible_property(`
+ # DO NOT ADD ANY PROPERTIES HERE
+ system_public_prop(boottime_prop)
+ system_public_prop(bpf_progs_loaded_prop)
+ system_public_prop(charger_prop)
+ system_public_prop(cold_boot_done_prop)
+ system_public_prop(ctl_adbd_prop)
+ system_public_prop(ctl_apexd_prop)
+ system_public_prop(ctl_bootanim_prop)
+ system_public_prop(ctl_bugreport_prop)
+ system_public_prop(ctl_console_prop)
+ system_public_prop(ctl_dumpstate_prop)
+ system_public_prop(ctl_fuse_prop)
+ system_public_prop(ctl_gsid_prop)
+ system_public_prop(ctl_interface_restart_prop)
+ system_public_prop(ctl_interface_stop_prop)
+ system_public_prop(ctl_mdnsd_prop)
+ system_public_prop(ctl_restart_prop)
+ system_public_prop(ctl_rildaemon_prop)
+ system_public_prop(ctl_sigstop_prop)
+ system_public_prop(dynamic_system_prop)
+ system_public_prop(heapprofd_enabled_prop)
+ system_public_prop(llkd_prop)
+ system_public_prop(lpdumpd_prop)
+ system_public_prop(mmc_prop)
+ system_public_prop(mock_ota_prop)
+ system_public_prop(net_dns_prop)
+ system_public_prop(overlay_prop)
+ system_public_prop(persistent_properties_ready_prop)
+ system_public_prop(safemode_prop)
+ system_public_prop(system_lmk_prop)
+ system_public_prop(system_trace_prop)
+ system_public_prop(test_boot_reason_prop)
+ system_public_prop(time_prop)
+ system_public_prop(traced_enabled_prop)
+ system_public_prop(traced_lazy_prop)
+ system_public_prop(virtual_ab_prop)
+
+ system_public_prop(config_prop)
+ system_public_prop(cppreopt_prop)
+ system_public_prop(dalvik_prop)
+ system_public_prop(debuggerd_prop)
+ system_public_prop(default_prop)
+ system_public_prop(device_logging_prop)
+ system_public_prop(dhcp_prop)
+ system_public_prop(dumpstate_prop)
+ system_public_prop(exported2_default_prop)
+ system_public_prop(exported3_system_prop)
+ system_public_prop(exported_dumpstate_prop)
+ system_public_prop(exported_fingerprint_prop)
+ system_public_prop(exported_secure_prop)
+ system_public_prop(exported_vold_prop)
+ system_public_prop(ffs_prop)
+ system_public_prop(fingerprint_prop)
+ system_public_prop(heapprofd_prop)
+ system_public_prop(net_radio_prop)
+ system_public_prop(pan_result_prop)
+ system_public_prop(persist_debug_prop)
+ system_public_prop(shell_prop)
+ system_public_prop(system_radio_prop)
+ system_public_prop(test_harness_prop)
+ system_public_prop(theme_prop)
+ system_public_prop(use_memfd_prop)
+ system_public_prop(vold_prop)
+')
+
type vendor_default_prop, property_type;
typeattribute log_prop log_property_type;
@@ -140,10 +218,10 @@
### Neverallow rules
###
-compatible_property_only(`
+treble_sysprop_neverallow(`
# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
-# neverallow * {
+# neverallow domain {
# property_type
# -system_property_type
# -product_property_type
@@ -525,6 +603,7 @@
-device_config_runtime_native_boot_prop
-device_config_runtime_native_prop
-device_config_media_native_prop
+ -device_config_storage_native_boot_prop
-device_config_sys_traced_prop
-dynamic_system_prop
-gsid_prop
@@ -541,6 +620,7 @@
-lowpan_prop
-lpdumpd_prop
-mmc_prop
+ -mock_ota_prop
-net_dns_prop
-net_radio_prop
-netd_stable_secret_prop
diff --git a/public/property_contexts b/public/property_contexts
index 87bbf93..cae5ebc 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -269,6 +269,18 @@
sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
vold.decrypt u:object_r:exported_vold_prop:s0 exact string
+# r/o sanitizer properties, public-readable
+ro.sanitize.address u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.cfi u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.default-ub u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.fuzzer u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.hwaddress u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.integer_overflow u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.safe-stack u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.scudo u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.thread u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.undefined u:object_r:exported2_default_prop:s0 exact bool
+
# vendor-init-settable|public-readable
aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
diff --git a/public/shell.te b/public/shell.te
index 56196c3..532d05f 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -82,6 +82,8 @@
set_prop(shell, ctl_gsid_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
diff --git a/public/te_macros b/public/te_macros
index cb0ebd1..88e71d8 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -714,6 +714,15 @@
neverallow heapprofd $1:process signal;
')
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+define(`perfetto_producer', `
+ allow $1 traced:fd use;
+ allow $1 traced_tmpfs:file { read write getattr map };
+ unix_socket_connect($1, traced_producer, traced)
+')
+
###########################################
# dump_hal(hal_type)
# Ability to dump the hal debug info
@@ -724,6 +733,28 @@
allow $1_server dumpstate:fd use;
')
+#####################################
+# treble_sysprop_neverallow(rules)
+# SELinux neverallow rules which enforces the owner of each property and accessibility
+# outside the owner.
+#
+# For devices launching with R or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# Also, exported properties must be explicitly marked as "restricted" or "public",
+# depending on the accessibility outside the owner.
+# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these rules only for devices launching with R or later.
+#
+define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
+ifelse(target_treble_sysprop_neverallow, `cts',
+# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
###########################################
# define_prop(name, owner, scope)
# Define a property with given owner and scope
@@ -735,14 +766,28 @@
###########################################
# system_internal_prop(name)
# Define a /system-owned property used only in /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`system_internal_prop', `define_prop($1, system, internal)')
+define(`system_internal_prop', `
+ define_prop($1, system, internal)
+ treble_sysprop_neverallow(`
+ neverallow {domain -coredomain} $1:file no_rw_file_perms;
+ ')
+')
###########################################
# system_restricted_prop(name)
# Define a /system-owned property which can't be written outside /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`system_restricted_prop', `define_prop($1, system, restricted)')
+define(`system_restricted_prop', `
+ define_prop($1, system, restricted)
+ treble_sysprop_neverallow(`
+ neverallow {domain -coredomain} $1:property_service set;
+ ')
+')
###########################################
# system_public_prop(name)
@@ -753,14 +798,28 @@
###########################################
# product_internal_prop(name)
# Define a /product-owned property used only in /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`product_internal_prop', `define_prop($1, product, internal)')
+define(`product_internal_prop', `
+ define_prop($1, product, internal)
+ treble_sysprop_neverallow(`
+ neverallow {domain -coredomain} $1:file no_rw_file_perms;
+ ')
+')
###########################################
# product_restricted_prop(name)
# Define a /product-owned property which can't be written outside /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`product_restricted_prop', `define_prop($1, product, restricted)')
+define(`product_restricted_prop', `
+ define_prop($1, product, restricted)
+ treble_sysprop_neverallow(`
+ neverallow {domain -coredomain} $1:property_service set;
+ ')
+')
###########################################
# product_public_prop(name)
@@ -771,14 +830,28 @@
###########################################
# vendor_internal_prop(name)
# Define a /vendor-owned property used only in /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`vendor_internal_prop', `define_prop($1, vendor, internal)')
+define(`vendor_internal_prop', `
+ define_prop($1, vendor, internal)
+ treble_sysprop_neverallow(`
+ neverallow coredomain $1:file no_rw_file_perms;
+ ')
+')
###########################################
# vendor_restricted_prop(name)
# Define a /vendor-owned property which can't be written outside /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`vendor_restricted_prop', `define_prop($1, vendor, restricted)')
+define(`vendor_restricted_prop', `
+ define_prop($1, vendor, restricted)
+ treble_sysprop_neverallow(`
+ neverallow coredomain $1:property_service set;
+ ')
+')
###########################################
# vendor_public_prop(name)
diff --git a/public/vendor_init.te b/public/vendor_init.te
index f458d77..21a9222 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -206,6 +206,7 @@
-device_config_runtime_native_boot_prop
-device_config_runtime_native_prop
-device_config_media_native_prop
+ -device_config_storage_native_boot_prop
-device_config_sys_traced_prop
-restorecon_prop
-netd_stable_secret_prop
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 5e8e054..0195e5f 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -54,7 +54,7 @@
# targeting the $(version) SELinux release. This ensures that our policy will build
# when used on a device that has non-platform policy targetting the $(version) release.
$(version)_compat := $(intermediates)/$(version)_compat
-$(version)_mapping.cil := $(call intermediates-dir-for,ETC,$(version).cil)/$(version).cil
+$(version)_mapping.cil := $(call intermediates-dir-for,ETC,plat_$(version).cil)/plat_$(version).cil
$(version)_mapping.ignore.cil := \
$(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
$(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2d25677..8830784 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -22,8 +22,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0